3005 matches found
WordPress Hero Maps Premium <=2.2.1 - Cross-Site Scripting
WordPress Hero Maps Premium plugin 2.2.1 and prior contains an unauthenticated reflected cross-site scripting vulnerability via the views/dashboard/index.php p parameter. id: CVE-2019-19134 info: name: WordPress Hero Maps Premium =2.2.2 or apply the vendor-provided patch to fix the XSS...
WordPress ARMember Premium <= 7.3.1 - Unauthenticated SQL Injection
The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the 'armdirectorypagingaction' AJAX action in all versions up to, and including, 7.3.1. This is due to insufficient escaping on the user-supplied 'order' and 'orderby' parameters and the lack of...
Premium Addons for Elementor - Unauthenticated Information Disclosure
Premium Addons for Elementor plugin for WordPress version 4.11.53 and below contains an unauthenticated information disclosure vulnerability.The vulnerability exists due to a missing authorization check in the gettemplatecontent AJAX handler, allowing unauthenticated attackers to retrieve private...
GP Premium <= 2.4.0 - Cross-Site Scripting
The GP Premium plugin for WordPress up to 2.4.0 is vulnerable to reflected XSS via the 'message' parameter in inc/verify.php lines 95-101, where a message passed with slactivation=false is URL-decoded and used unsanitized in addsettingserror, allowing XSS payloads to be reflected in admin notices...
CVE-2026-12141
The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premiumtooltiptext' parameter in all versions up to, and including, 4.11.84 due to insufficient input sanitization and output escaping. This makes i...
CVE-2026-12141 Premium Addons for Elementor <= 4.11.84 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'premium_tooltip_text' Parameter
The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premiumtooltiptext' parameter in all versions up to, and including, 4.11.84 due to insufficient input sanitization and output escaping. This makes i...
CVE-2026-12141
The CVE-2026-12141 entry describes a Stored Cross-Site Scripting vulnerability in the Premium Addons for Elementor – Powerful Elementor Templates & Widgets WordPress plugin. Affected component: the premium_tooltip_text parameter; impact arises from insufficient input sanitization and output escap...
EUVD-2026-43142
The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premiumtooltiptext' parameter in all versions up to, and including, 4.11.84 due to insufficient input sanitization and output escaping. This makes i...
CVE-2026-15158
The Blocksy Companion plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.1.46 via the saveattachments function. This is due to the Custom Fonts extension registering a wpcheckfiletypeandext filter that approves any filename containing .woff2 or .tt...
EUVD-2026-42549
The Blocksy Companion plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.1.46 via the saveattachments function. This is due to the Custom Fonts extension registering a wpcheckfiletypeandext filter that approves any filename containing .woff2 or .tt...
CVE-2026-15158
Blocksy Companion
CVE-2026-15158
The Blocksy Companion plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.1.46 via the saveattachments function. This is due to the Custom Fonts extension registering a wpcheckfiletypeandext filter that approves any filename containing .woff2 or .tt...
PT-2026-56760
Name of the Vulnerable Software and Affected Versions Blocksy Companion versions prior to 2.1.47 Description The Blocksy Companion plugin for WordPress allows unauthenticated arbitrary file upload through the save attachments function. The issue occurs because the Custom Fonts extension uses a wp...
CVE-2026-11962
The FileOrganizer WordPress plugin before 1.2.0 does not validate the file type on several of its file-management operations, allowing authenticated users who have been granted file-manager access — which its premium add-on can extend to sub-administrator roles — to upload arbitrary PHP files and...
CVE-2026-57353
Subscriber Broken Access Control in Link Whisper Premium = 2.9.0 versions...
CVE-2026-27060
Contributor PHP Object Injection in ARMember Premium = 7.0 versions...
CVE-2026-57750
The CVE-2026-57750 entry concerns the WordPress plugin ez Form Calculator Premium (versions up to and including 2.14.1.2). The vulnerability is described as Unauthenticated Broken Access Control , implying that unauthenticated users can access or manipulate resources they should not be able to. T...
CVE-2026-57750
Unauthenticated Broken Access Control in ez Form Calculator Premium = 2.14.1.2 versions...
CVE-2026-57353
The CVE concerns WordPress Link Whisper Premium plugin <= 2.9.0 with a Broken Access Control issue. The accompanying CVSS data (Patchstack, v3.1) indicates an external attack over network, with low privileges and no user interaction, potentially affecting integrity (I: High) while confidential...
CVE-2026-27060 WordPress ARMember Premium plugin <= 7.0 - PHP Object Injection vulnerability
Contributor PHP Object Injection in ARMember Premium = 7.0 versions...